What happens is that the eventlog collection daemon first tries to authenticate to the server with the default credentials of the account that the daemon is running as. This is a limitation of the programming libraries that the eventlog daemon is built on.

The simplest way to avoid this would be to "push" the eventlogs from any servers that this occurs on.

To "push" eventlogs from a server to Logalot, you first install the eventlogd.exe agent on the Windows server you will be pushing the logs from. Place the eventlogd.exe file in the root directory of the c: drive. Get the latest eventlogd.exe from your Logalot server's soe\cgi-bin\ directory.

Next, a configuration file must be created to tell the daemon to send new events to the remote Logalot server. The configuration file is called logalot.ini and must also be in the root directory of the c: drive of the "pushing" Windows server.

* host is the IP address of the Logalot server
* tcp port is the port used by MySQL on the Logalot server
* log= lists the logfile names that you want to push the logs from

Now install the eventlog daemon as a service by running:

eventlogd.exe -install_svc

This will load the eventlog policies from Logalot to this server and process the policies locally. The added benefit of this process is that if you have any 'delete' policies, the matching logs are not sent to Logalot; they are filtered out right there on the Windows server.